RealMe vs CardSpace, OpenID & X.509

Overview

The Identity and Access Management world is buzzing with new ideas, including a promising technology called OpenID. The hope of OpenID is that a user can have one place they log into on the internet for their entire web browsing needs, thus simplifying the current sea of usernames and passwords that users and websites keep track of.

This white paper explores the practical side of OpenID and related technologies from a Software as a Service vendor’s point of view. CardSpace from Microsoft and SAML relationships in general are discussed, with the advantages and challenges of each technology offered.

Finally, the RealMe authentication system from GlobalCrypto is presented.

OpenID

OpenID is a shared identity service which allows Internet users to log on to many different web sites using a single digital identity (single sign-on), eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

An OpenID is in the form of a URL. This URL can be the domain name of your own website, or the URL of an OpenID identity provider. When you log in with an OpenID, you have to log in to the identity provider for validation.

Using OpenID-enabled sites, web users do not need to remember traditional items of identity such as username and password. Instead, they only need to be registered with any OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

Windows CardSpace

CardSpace (codenamed InfoCard) is Microsoft's client software for the Identity Metasystem. CardSpace is an instance of a class of identity client software called an Identity Selector. CardSpace stores references to users' digital identities for them, presenting them to users as visual Information Cards. CardSpace provides a consistent UI that enables people to easily use these identities in applications and web sites where they are accepted.

Observations on CardSpace & OpenID

At first glance OpenID solves a very prominent problem on the internet: users have too many passwords to remember. The promise of OpenID is to allow a single credential to be used as your authentication for many (all?) of your internet interactions. CardSpace seeks to extend simple authentication by attaching attributes to your identity such as physical location and age, and makes the OpenID solution a little more flexible yet fuzzy at the same time.

Note that when you use CardSpace you are still required to authenticate to the Identity Provider!

A practical engineer’s impression of the OpenID system is that there are a lot of moving parts. A Service Provider has to redirect initial requests for service to a second party which performs authentication of the end user. This second party may be an Identity Provider or, in the case of CardSpace, another layer of indirection to a third party which must be chosen by the user at runtime based on a selection of possible third party ID providers of information. These types of user-centric identity systems do not offer server-side revocability of credentials and, in the case of CardSpace, are not uniformly cross platform, do not feature exportability/mobility of credentials, use the same cryptographic keys for all services, cannot provide bi-directional trust even while requiring HTTPS, and largely force implementation on .NET platforms.

The real drawback to OpenID and CardSpace is a practical one which a businessman will immediately recognize as an issue of contractual trust. As long as any party on the internet can issue OpenID credentials, businesses which need to fundamentally know their customers will not be able to accept strictly open credentials. Many large internet service providers are already limiting the set of Identity Providers that they will accept as legitimate ID—even in the absence of physical attribute data such as physical location, age or gender. This makes business sense for providers of valuable web services, since most businesses have few trusted partners that they are willing to delegate customer tracking to. Customer information is too valuable, and the risk of legal action in the event of a breach of account access is often likely.

Imagine if a city allowed college students to create their own IDs to present at any time for any identification purpose. Bars subject to strict laws forbidding them to serve alcohol to anyone younger than the legal drinking age would quickly reject the new IDs, since self-issued credentials are worthless for the purpose of proving age. Bars would quickly seek to implement another method for proving identity. In this contrived scenario, the open IDs would be good for applications where the actual identity of a presenting individual wasn’t ultimately important. Think of business mixers where everyone wears “Hello, my name is…” tags on which everyone writes in their name and company. You can lie about your name or company, but what’s the point?

The online equivalent of these “Hello tag” events are simple social networks, blogs and other semi-anonymous forums. OpenID will be a boon to these types of applications, where there isn’t much commerce and the actual identity of individuals isn’t all that important.

For business applications on the internet that require an intimate interaction with each user, OpenID makes less sense. However, there is a middle ground where two companies can have a trusted relationship using concepts from OpenID. Many SaaS vendors already segregate accounts by corporation, which makes a lot of sense. An example of this type of segregation is SalesForce.com. Each company that uses SalesForce has a number of users that have access to that particular company’s data. As employees come and go, an administrative rep from the company adds and deletes credentials for each employee to access SalesForce.

When several other SaaS vendors are engaged by the above mentioned company, the same administrator needs to add credentialed access to each employee for the new service. By spinning up an OpenID style ID provider service for his company and establishing a trusted relationship between each SaaS vendor and his new ID Provider, the corporate administrator can add one credential per employee and effectively have a Web Single Sign On in place through the use of techniques in OpenID.

X.509 Certificates

The internet relies on X.509 certificates to enable HTTPS sessions between a user and a website. HTTPS sessions are important because they encrypt a browsing session, thereby thwarting packet sniffers. Certificates contain physical information about the presenter of the certificate, such as company and address, as well as the presenter’s public key. The information bundle is then presumably checked for accuracy and digitally signed by a Certificate Authority such as VeriSign or Thawte. Ideally, a user would also obtain an individual certificate and present it to the website during the HTTPS negotiation, which would prove each side’s identity to the other side. This type of negotiation is known as bi-directional certificate exchange and is widely acknowledged to be one of the strongest forms of authentication available on the internet. The question remains, however, of why this type of authentication is not prevalent today.

Certificates are theoretically strong, but they have several practical drawbacks. First of all, certificates are very expensive, with individual certificates running in the hundreds of dollars annually. Secondly, certificates are very complicated. If you have ever applied for a certificate you are undoubtedly familiar with the terms “Certificate Signing Request”, “pem file”, “PKCS” and other cryptic terms that usually mean that the next few hours of your day are ruined. Applying for a certificate is no fun for seasoned pros and is impossible for the average human. Additionally, once you obtain your certificate and its corresponding private key file, there is the matter of where to put it so that your web server or browser can absorb and utilize the information. Installing a certificate is not for the faint of heart and universally involves reading dry instruction pages and manipulating dusty corners of your software configuration that rarely see the light of day.

Moreover, with bi-directional certificate exchange there is the matter of how you might revoke a certificate once it is issued. Currently there is a questionable mechanism called Certificate Revocation Lists, where a browser or other piece of software is required to traverse a chain of certificates that vouch for each child certificate until the root certificate is reached. In each traversal there is a potential that a particular certificate has been revoked and should not be used. Modern web browsers frequently ignore this feature, and even if the browsers did honor the CRLs, it takes some time for the CRLs to get distributed across the internet.

Bottom line: certificates have great math, lousy operability and cost a fortune.

State of the Industry

When the state of the industry is taken in totality there are several promising pieces to the authentication puzzle that show the way to a better authentication methodology. The math behind bi-directional certificate exchange is very solid. The user experience of CardSpace is instructive—people understand images as symbols of identity. OpenID and its SAML protocol is a good framework for exchanging authentication information.

This brings us to the RealMe authentication system.

RealMe Overview

The RealMe authentication system from GlobalCrypto leverages the proven math that exists in bi-directional certificate exchange and removes the operational problems that prevent certificates from becoming the preferred method of authentication on the internet. Moreover, RealMe can leverage the technology behind OpenID when it is deployed in a Web Single Sign On configuration to provide identity claims from a corporation to a trusted web service.

RealMe works by inserting cryptographic information into a digital image, splitting that image between a user and an authenticating party, and later exchanging these image halves to accomplish a strong, bi-directional authentication.